Forgot your password?
typodupeerror
OS X Security IT Apple

Mac Malware Evolves - No Install Password Required 374

Posted by samzenpus
from the under-the-wire dept.
An anonymous reader writes "The latest versions of the Mac Defender malware attacks no longer require users to enter their admin credentials (username and password) upon install. A threat called 'Mac Guard' installs itself into areas of the Mac OS X system that only require standard user privilege. On Windows the criminals did this to avoid UAC warnings, and have copied this trick to their Mac OS X releases."
This discussion has been archived. No new comments can be posted.

Mac Malware Evolves - No Install Password Required

Comments Filter:
  • by mms3k (2192016) on Thursday May 26, 2011 @11:00AM (#36250894)
    I always find it stupid that even here people say that malware on Linux would not be able to gain root like in Windows. Spam bots, fake antiviruses, password stealing nasties and so on run perfectly fine under normal user account. There is no reason why they would require admin privileges. All the personal files are accessible on normal user account and spam can be send without root too. Sure, it could hide a little bit better if it had root access, but there's plenty of tricks to pull out under normal account too. It's like a guy making everything overcomplicated by thinking how he needs to act like a perfect guy and take the girl to a fancy restaurant and many dates before having intercourse with her. Sometimes it's just easier to go for a ladyboy - a woman with mens desire for sex. Requiring access to root account would be more common situation with something like hacking servers since you need to modify logs and really hide in the system. Most likely you also need to get access to HTTP ports and under Linux you need root account for those. But malware runs perfectly fine under user account.
  • by betterunixthanunix (980855) on Thursday May 26, 2011 @11:02AM (#36250910)
    ...is anyone actually surprised by this?
    • Re:No surprises here (Score:4, Informative)

      by Low Ranked Craig (1327799) on Thursday May 26, 2011 @11:24AM (#36251212)
      Not really. And I wasn't really surprised to find that this is a slashvertisment. Sophos makes anti-virus software for Macs. I prefer to get my news from someone who doesn't have a vested interest in selling me stuff directly related to the content of the article.
      • Security companies of all types release information about vulnerabilities...that's nothing new.

        Sophos has been around for years and are widely acknowledged as a leader in security software...they simply aren't that well know in the US. Same goes for Kaspersky...been around for years, but the marketing giants of McAfee and Symantec are simply more well known in the states.

        I'd rather someone out there let folks know about these issues when they find out and it never hurts if they also provide a solution.

        If t

    • Re:No surprises here (Score:5, Interesting)

      by Low Ranked Craig (1327799) on Thursday May 26, 2011 @11:30AM (#36251300)
      Follow up. I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac. Question for samzenpus, how much did these guys pay you to post this?
      • by gad_zuki! (70830) on Thursday May 26, 2011 @11:42AM (#36251478)

        That's a little like saying "Oh just run noscript or make disable the java plugin" in the Windows world. Most end user have no clue what "safe files" are or what any of what you wrote means.

        Not to mention, any web based exploit can install this malware now. It runs purely in userland. Java exploits, flash exploits, browser exploits, etc open the gate for this malware. Today its the safe files in Safari, tomorrow its one of dozens of Java exploits.

        Its simply easier for end users to do updates and buy an AV than to dick around with settings they don't remotely understand. To Apple's benefit they're usually good about software updates and also update Java (at least for now).

        • It's not the same or even close. Open Safari, from the Menu -> Safari -> Preferences. On the first page un-check "open safe files after downloading". The point being that if this was truly an informative article and not an advertisement they could have included this little bit there. Having that option checked is a prerequisite for this exploit.
      • Re:No surprises here (Score:5, Informative)

        by thoromyr (673646) on Thursday May 26, 2011 @11:51AM (#36251618)

        not just that, but the sophos article glosses over the fact that you still get

        1. an operating system warning about executing a file downloaded from the internet (complete with reference to where it was downloaded from). They mention it in the text, but omit it in their "slideshow" showing the steps to getting infected.

        2. an osx installer gui which means it can be canceled

        What this is *not* is a hidden and silent install like what is going on with Windows.

      • by amicusNYCL (1538833) on Thursday May 26, 2011 @12:46PM (#36252414)

        I find it interesting that they gloss over the fact that to completely avoid this all you need to do is turn off download safe files in safari, and/or not be stupid. Their solution is to purchase their anti-malware package for Mac.

        So you're under the assumption that if you disable this particular setting, then you are now immune to all present and future malware on a Mac, correct? That proactive things like anti-virus or malware scanning are unnecessary, right? That the entire Mac malware threat ends with a single checkbox, is that about it?

        You realize that nearly every time a piece of malware comes out for Windows that there's typically a single setting you can change to mitigate that one specific threat, right? Has that fact stopped criminals from finding new infection vectors?

        The news here is not this one piece of software, or how it gets installed, or what it does, or how to stop it. The news is the fact that the professional malware authors are now targeting Macs, and they have the automated toolkits to do it. A little checkbox in your browser isn't going to change that fact.

    • by gad_zuki! (70830) on Thursday May 26, 2011 @11:38AM (#36251428)

      How about the comments in the last article from the fanboys screaming "BUT THEY NEED TO PUT IN THEIR PASSWORD UNLIKE SHITTY WINDOWS" and then modded up to +5 insightful.

      Welcome to the new reality. I think they'll find that userland rights on any modern OS are pretty lenient and will allow for a great deal of scammy malware activities. Malware doesnt need to run in any system directory or open any low ports or anything.

      Now is probably a good time to invest in OSX AV products.

  • PEBKAC (Score:5, Informative)

    by Hatta (162192) on Thursday May 26, 2011 @11:04AM (#36250942) Journal

    This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.

    • Re:PEBKAC (Score:5, Funny)

      by Anonymous Coward on Thursday May 26, 2011 @11:10AM (#36251000)

      Comments like that make me think you are not participating in the two minute hate.

      Just embrace the hate of apple and join the group think.

    • by Ryanrule (1657199)
      So, you are saying the computer is fucked upon purchase? FUP?
    • by TWX (665546)

      That's what I've always liked about proper user versus management privileges on a computer- when the user who isn't the computer's owner or admin b0rks their account, you just nuke the account and recreate or just nuke the home directory, backing up only if they're important enough for it to cost you if you don't. Unfortunately, when the "admin" is the owner and only has user-level knowledge, they're probably not willing to nuke their own account, assuming they're not running with too many privileges in th

      • Re:PEBKAC (Score:5, Insightful)

        by Talderas (1212466) on Thursday May 26, 2011 @11:17AM (#36251118)

        On a somewhat-unrelated note, it still blows my mind when enterprise level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicate than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.

        It's not entirely unsurprising. Telling the company owner that "We need to change the level of permissions everyone has on their machines, which means they won't be able to do this, this, and this." after the company owner and the entire user base is accustomed to having that level of permission doesn't typically get a go ahead flag from the company owner.

      • On a somewhat-unrelated note, it still blows my mind when enterprise level IT still has users with full admin rights over the local workstation, as those machines constantly and continually get infected and reinfected through the ignorance of the users. Sure, it means that a user can add a local device more complicate than a printer without calling the helpdesk, but it also means that any piece of unauthorized software, whether the user intended to install it or not, or whether it's benign or malicious, gets on to the computer. When the IT department sets up the computers and privileges properly, and if the OS doesn't have local root exploits so large one can drive a Mack truck through, the user can do a lot less damage.

        That's funny because the only cases of malware being placed on computers where I work was done by the IT people themselves. None of us "plebes" have ever done so.

    • And now it can do less damage because it's running without admin privileges. Should be a lot easier to remove too.

      • For the small fraction of people that have more than one active account on their Mac, sure, but for most people it will do the same amount of damage.

        • Re:PEBKAC (Score:4, Interesting)

          by BitZtream (692029) on Thursday May 26, 2011 @11:24AM (#36251198)

          Just putting itself in the Applications directory doesn't do anything special, users still have to run it. The Applications directory isn't setuid or anything like that, it doesn't make the app run as root, it doesn't have anything to do with startup or anything else, you're just allowed to create files in the Applications directory.

          As I pointed out elsewhere, the intelligent thing to do would be to install to the users home directory as most non-techie Mac users will NEVER look in their home directory and notice it, thats just someplace they don't generally have to go, thats what the Documents, Pictures, Music and other folders are for. Unlike the Applications directory where users are bound to be looking at least once in a while.

          The end result would be the same, all its going to do is effect a single user.

          Now if it was intelligent, it'd modify the plist of an existing app to take itself on as the app launcher, then start the real app itself, which would possibly be used by other users on the system. You wouldn't be able to do it to the Apple builtin apps as permissions still require you to be root to modify it, but some other app the user installed will be owned by them and modifiable.

          Back when they were asking for a password, they should have been installing a kernel extension to cloak themselves and make removal without booting from a clean drive impossible.

          This 'malware' is like most Mac users, its a joke, its not even a little bit impressive, it just happens to be the first one noticed.

          Just wait until the Windows malware writers start putting some effort into OSX, THEN it'll get nasty.

          • This 'malware' is like most Mac users, its a joke, its not even a little bit impressive, it just happens to be the first one noticed.

            Maybe we can say that using a Mac damages the brain so much that even the malware writers can't do a good job.

          • The end result would be the same, all its going to do is effect a single user.

            Until that userspace malware exploits something to elevate itself to root.

            Just because it starts as a limited user doesn't mean it won't go somewhere :).

          • Re:PEBKAC (Score:4, Insightful)

            by psydeshow (154300) on Thursday May 26, 2011 @02:18PM (#36253770) Homepage

            The end result would be the same, all its going to do is effect a single user.

            Can we retire this meme?

            Nobody besides IT gives a shit if the trojan can hack into the kernel or system libraries. If it can run in user space it has access to my contacts, my photos, my browser history, my bookmarks, my email, my music, and pretty much every-fscking-thing I care about on the computer. It can send mail as me, post to websites as me, drop files in my downloads folder, and put stuff on my desktop.

            I mean, great that it can't infest drivers and start servers below port 1024. But the primary user of the computer (the non-admin shlub who actually needs to get work done) is infected.

    • But now it compromises slightly smarter users, widening its success rate by some degree.
    • by TimeElf1 (781120)

      This still requires the user to deliberately install the malware. Since it's not compromising the system, but the user, it doesn't need privileges to do this.

      Gee, users deliberately installing things that might be harmful for their computer? I can't ever see that happening....

      • by tepples (727027)

        Gee, users deliberately installing things that might be harmful for their computer?

        Conventional antivirus software acts as a blacklist. Mac App Store acts as a centrally managed whitelist. Do you recommend either of these two approaches, or do you recommend a third one [tvtropes.org] that's less widely known?

    • by Lumpy (12016)

      Stop bringing truth and facts into this.....

    • by nlawalker (804108)

      Clearly, then, this malware was engineered by Apple itself to cull from its userbase those that it felt were not worthy of their computing experience. I mean, seriously, no one who dares install apps from anywhere other than the App Store(TM) should be able to call themselves an Apple user.

    • Re:PEBKAC (Score:5, Insightful)

      by makomk (752139) on Thursday May 26, 2011 @01:29PM (#36253088) Journal

      This still requires the user to deliberately install the malware.

      Something like 97% of Windows malware infections these days are caused by users "deliberately" installing malware, and that's with Windows putting a lot more obstacles in the way of websites wanting to convince users they should install something malicious than Mac OS X does. Doesn't stop Windows malware infections from being a big selling point for Macs. (Even in the bad old days of Windows security, an awful lot of infections were due to users agreeing to install the malware.)

  • I am safe. (Score:5, Funny)

    by Anonymous Coward on Thursday May 26, 2011 @11:08AM (#36250980)

    My PC can't get Mac malware.

    • by BobNET (119675) on Thursday May 26, 2011 @11:30AM (#36251306)

      You laugh now, but it's only a matter of time before PCs become popular enough that malware writers start targeting them instead.

  • by CharlyFoxtrot (1607527) on Thursday May 26, 2011 @11:09AM (#36250998)

    So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

    • Theres no reason the malware cant install in usermode, and also attempt an elevated install for real rootkit goodness.

      • True but if they were capable of using a real exploit wouldn't they do so directly ? The more work these asshats have to do to get into the system the more chance there is of detecting and/or stopping them at some intermediate point.

    • So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

      It also means that whatever files exist and whatever changes are made live somewhere in that user's profile.

      The Windows malware that does this is annoying because it can sneak in without admin rights... But it is easily removed by simply logging in as a different user and deleting the infected profile.

    • by 0123456 (636235)

      So that means it's now running with only user privileges instead of admin rights, which seems like a slight improvement for those dumb enough to install it.

      Not when it logs your banking passwords and sends them to the Russian Mafia. Most of the things that malware wants to do can be done in user mode as well as admin.

      • Sure but if your kid installs this under his/her account then mommy & daddy are still safe, for now at least. And it'll be a lot easier to purge something that didn't have admin rights from the system.

    • by vwjeff (709903) on Thursday May 26, 2011 @11:30AM (#36251310)
      This just gives Apple one more reason to force all application installs via the app store in future versions of the OS. The other reason of course is money.
      • It'll never happen. A lot more mac users are power users than the stereotypes suggest and these people just wouldn't accept it. At most they could go with an opt-out system. Otherwise I think app-stores are more of a positive evolution than people give them credit for, when they are not shoved down your throat that is. The signing of software to guarantee that it hasn't been modified or tampered with is a no-brainer, a bit like having shrink-wrap around a box-set of physical media.

      • Then they would lose a good deal of their user base.

        Unlike popular believe lots of Mac users are actually geeks working in the software industries.

        Unless Eclipse, Tomcat, the Spring Framework etc. etc. is all available via an Appstore: FOR FREE ... such a move would be a very bad idea.

        angel'o'sphere

  • Hi profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security. Any malware can run in the user space of any os if the user installs it (and they wiil); and at minimum it has access to all of a user's private data. That should be just as worrisome as a single user machine getting rootkitted - while the harm to the system is g
    • Re: (Score:3, Insightful)

      by _Sprocket_ (42527)

      Hi profile attacks that occur in user space help to underscore that the obsession OS vendors have with admin access doesn't do much of anything to prevent a machine from being compromised -- it only serves to give users a false sense of security.

      I have a hard time completely dismissing privilege escalation. There is still some value in being able to separate user data from the system proper - if only to make clean-up easier. But I do completely agree with the overall lesson here. An overly simplified view of security might very well overlook the fact that there's still a lot of value with operating in the context of an unprivileged user. And as such, users should remain wary whenever they're acting outside the boundaries of their local environ

      • Exactly this. I would even go so far as to say that the extent to which we try to protect the user is causing more harm than good. We teach then to click through warnings as you say, because that is the path they must follow to complete the tasl at hand. worse we teach them that antivirus makes them - even though we know this isn't possible. To make a truly safe experience, the user must be willing to accept a locked down walled garden, permitting only approved software to execute on the machine. Anythin
  • Real issue (Score:2, Informative)

    by Anonymous Coward

    The only real issue is the "auto-download safe content" default option in Safari.It should'nt be enabled by default. Just uncheck it.

    Another case of iClicitys (rush of advertisement clics generated by apple buzz)

  • by wandazulu (265281) on Thursday May 26, 2011 @11:11AM (#36251030)

    So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.

    • Re:The difference (Score:5, Insightful)

      by betterunixthanunix (980855) on Thursday May 26, 2011 @11:17AM (#36251112)

      This means the problem would be isolated to that particular user's account.

      For many home users, that is all that really matters. We are not talking about an enterprise setup here, we are talking about some person's laptop. Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

      • by 0123456 (636235)

        Frankly, in an enterprise setup I would be surprised if user home directories were not mounted with noexec (or whatever such an option would be called in Mac OS X), which would thwart this problem.

        It would reduce the problem, not eliminate it. Just because you can't run $HOME/malware.sh directly doesn't mean you can't 'bash $HOME/malware.sh'.

        • That much is true, which is why I said "thwart" and not "completely eliminate." Now, with a bit of work, you could stop users from doing that as well -- set up the right SELinux policies/contexts and whatnot -- and thus mitigate the threat further. In the end, it really depends on what exactly you are trying to do, and what your users need to be able to do. If your users only need to be able to launch a web browser and email client, then go ahead and stop them from running bash.
      • The "BUT IT DOESN'T INFECT THE SYSTEM!" screaming is just a geek defense mechanism that shows ignorance of how computers are actually used. Nobody at work gives a shit about the system. They don't care about the OS, the applications. They've learned that we, the IT people, can get that all back and running quickly. None of it matters to them.

        What matters is their data. That is what they want, what they worry about. From the important, like actual work, to the trivial like bookmarks and backgrounds, that is

    • by geekoid (135745)

      Except it will probably infect a trusted executable, and then when the trusted executable asks for elevated privileges nearly everyone will allow it to have them.

    • So instead of installing into /Applications, which does require an admin username and password, it now likely installs somewhere in the user's home folder, which doesn't require admin authorization. This means the problem would be isolated to that particular user's account.

      And this is ok? When you consider that most systems that are not servers have only one or two users, the fact that it's limited to one account doesn't mean much of anything all. That's one account having its passwords and cc info gleefully distributed, among other things. Do you really think it matters that the admin account has not been compromised? (yet - once installed it's trivial to trick the user into providing admin access)

  • So either the patch will already recognize and remove this, or they will have to issue another little update to take care of it completely. Given that they are not compromising any privileges, stopping this should be ridiculously easy. Why are these guys even bothering?

    Unless perhaps they are trying to get an installed base with the current package, which can then perhaps help with a real exploit - e.g. directing a browser to a website that exploits a real vulnerability.

    • by geekoid (135745)

      Or they want to infect a trusted file, or more likely, the user info they want will resides in the users directory.

      For the most part, modern attackers don't want to damage your computer, they want to get personal info. CC numbers and the like.

      IT's best for them if there attack as no noticeable impact on a system.

    • I'm really curious just what Apple will do in a patch to prevent this. You could of course recognize one variant, but you can't easily find an infinite number of variations... especially when there's so little difference between a trojan and some application that is meant to be downloaded and run.

      The funny thing is currently the absolute safest recommendation you can make to a Mac user to keep them safe is to NOT install any anti-virus software.

  • Originally this malware asked for an admin password which means it could get access to admin privileges. This new variant installs under user permissions which means that the admin can more easily remove it. That is assuming users don't run as admin. BTW, this variant still requires user intervention to install so it's not quite a virus or worm but still a Trojan.
  • by G3ckoG33k (647276) on Thursday May 26, 2011 @11:18AM (#36251126)

    Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)

    • by 0123456 (636235)

      Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)

      If you download and run random programs on any OS I've used you're vulnerable to malware. You could partially mitigate it by mounting /home as noexec, and you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.

      • you could probably use SELinux to prevent users from running any applications from /home, but that's a pain.

        How is that a pain? Have you ever tried it? In Fedora, it is a matter of setting an SELinux boolean (allow_user_exec_content) and setting the user as user_u. This is literally two things to click on in the SELinux GUI tool, or two commands to run in a terminal. This might annoy users who want to do things like write scripts, but if your goal is to defend against this kind of malware, then that is what you have to do.

        Of course, most home users are unaware of noexec/SELinux and would need the family

        • by 0123456 (636235)

          How is that a pain?

          If you're not using a Fedora-based OS then SELinux probably doesn't work, and any competent Unix user probably has a bunch of scripts in $HOME that they use to do random things; I certainly do. I could put them in /usr/local/bin instead but that's a pain in itself.

          You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike. On the plus side, /tmp is normally a RAM disk so any malware installed there will vanish at the next reboot.

          • If you're not using a Fedora-based OS then SELinux probably doesn't work,

            Well, there is also AppArmor, TrustedBSD, TrustedSolaris, etc. The real point here is that mandatory access control does not have to be a hard thing to use, especially if you are trying to do something common like prevent a particular user from executing programs in their home directory. I cannot comment much on how easy AppArmor/etc. are to use, since I have not actually used them.

            You also need to ensure that /tmp and /var/tmp are noexec, which Ubuntu, at least, seems to dislike.

            That screams "problem" to me, but theoretically an SELinux policy could be written to allow this for whatever specific pr

        • I don't know what the GP meant by calling noexec and SELinux a pain, but as a developer and "poweruser," I have legitimate reasons throughout the day for executing programs from /home. So, while it's clearly not a pain setting up noexec and SELinux, it is a pain just dealing with the result.

          The said, as a savvy user, I'm also not dumb enough to run random programs off of the internet, so I don't lose sleep from being able to execute stuff from /home.
      • by Lumpy (12016)

        Under linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.
        Nope no chance in hell that a user will fall for this under linux. if they launch random crap they will never be able to set it to execute.

        • by 0123456 (636235)

          Under linux you have to download it, turn on the execute bit and set the permissions and THEN execute it.

          "To install the Cute Kitty screensaver, download malware.sh, open a Terminal window and type 'bash malware.sh'."

          Yeah, it's a pain, but more than a few people will do it in order to see cute kitties or b00b13s. The only way to stop them from doing it is to ensure they can't run anything that isn't in a system directory.

          And, even then, they'll still install random Firefox plugins which don't require execute permission or root access.

        • $sh [insert script name here]

          No execute bit needs to be set.

          Need proof?

          $vi test

          #!/bin/bash
          echo "This is a test"

          :x

          ./test
          bash: ./test: Permission denied

          Looks promising. Now lets tell bash to run that script without setting the execute bit.

          $sh test
          This is a test

          Yep, it executed.

      • by FudRucker (866063)
        what if /home was in its own disk partition and mounted with a noexe parameter? i guess /tmp and /var would have to get the same treatment too...
    • by itsdapead (734413)

      Does the principle apply to Linux? If yes, then it matters, for nerds, for real. ;)

      Here's how to find out:
      $ cat > nasty.c
      #include <stdio.h>
      void main() { puts("Oh No! The sky is falling!\n"); }
      $ gcc nasty.c
      $ ./a.out

      If your Linux prints "Oh No! The sky is falling!" then yes you have the OMG, my computer lets me run code in user mode! vulnerability. Remain calm - walk (don't run) to your local Apple store and buy an iPad, which is safely locked down so that you can't run any old code on it, even if you want to.

      So what's it to be folks? Should the Holy Jobs lock down OS

      • by itsdapead (734413)

        PS: I know I shouldn't have put "void" in front of "main" but its 15 years since I wrote any serious C, and malware is supposed to be badly-written, isn't it?

  • by hellfire (86129) <deviladv.gmail@com> on Thursday May 26, 2011 @11:19AM (#36251142) Homepage

    The malware is evolving from taking advantage of bugs in Windows, to social engineering. I had malware scanning on my PC because malware could get in the back door via services and other areas. Now, they are installing it right in front of your face trying to masquerade as something else.

    They are going from the thief in the night who exploits the bad lock in the back door, to walking in the front door acting like the delivery man and given the run of the building by unsuspecting human beings. They are no longer exploiting Windows or Mac OS X... they are exploiting the users directly and making it look like it's the OS's fault.

    I've seen plenty of PCs pwned by this type of malware, and it wasn't Windows fault in those situations either, the user simple installed something that took over the system.

    • by JSBiff (87824)

      I think another point might be that the malware is evolving from doing things which might require system-wide admin privileges, to just doing things which require lower levels of access.

      My first thought when I saw an article posted on Ars Technica yesterday, about this change in the malware, was, "But, wouldn't that mean the malware has to run at lower privilege levels"?

      Then I realized that something running at "user" privilege levels instead of root, can still be bad. It could probably still keylog that pa

  • You are still required to click through an install wizard, so this is in no shape or form an install performed without the user.

    • by robmv (855035)

      is that OS X install wizard build by the OS?, or is it an executable coded by the malware author? if the answer is true to the last question, why is needed to continue the install wizard?, the malware author can add code before opening it to install anything they want even if you press cancel

      The problem is Safari setting to open "safe" files automatically, that is the most dumb thing a browser can do

  • So uh... (Score:4, Insightful)

    by bmo (77928) on Thursday May 26, 2011 @11:41AM (#36251470)

    Where, exactly, is this going to hide from htop, top, ps or any other process listing facility?

    Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."

    As a user process, it also cannot patch top, ps, or htop, or any other process lister. It cannot fuck with logs. It cannot do anything at all that the ordinary user cannot do. Indeed it runs under the same UID as the logged in user.

    ps -uax | grep $USER
    OH HEY GUYS THAT LOOKS WEIRD
    killall -9 $SUSPICIOUS PROGRAM
    rm $PATHTOSUSPICIOUSPROGRAM/SUSPICIOUSPROGRAM

    And not even have to have a # in your prompt. No sudo, no su, no nothing.

    Go on with life

    Wow. That's...difficult.

    --
    BMO

    • by robmv (855035)

      With tricks like this Howto change a UNIX process and child process name by modifying argv[0] [uofr.net]

      For example sendmail change it to this "sendmail: accepting connections"

    • by robmv (855035)

      oops I forgot, when the malware is installed, it can just change all your init session scripts, prepend a directory to your PATH, install new versions of ps, top, htop, kill,.... not impossible to detect, but it can hide itself a little more that simple running ps and kill

    • Re: (Score:3, Informative)

      by Arrepiadd (688829)

      Yes, I can clearly see my mom running that on her laptop...

      This is a problem for the random user, not for the geeks who know what ps, grep and piping are used for.

    • by drinkypoo (153816)

      Unlike Windows, OSX and Linux and every other sane OS in the universe, there is no such thing as a "hidden process."

      There are no hidden processes in Windows, only those which the task manager will not display. Get process explorer, it's free.

  • by lpp (115405) on Thursday May 26, 2011 @11:48AM (#36251566) Homepage Journal

    That seems like it's not really any protection at all. Most Macs are likely single user setups anyway. Sometimes, sure, you'll have some other users on the machine, but most of them are likely just tied to one user.

    To that one user, their files are the critical component of the machine. If they bought the machine, they have the reinstall discs for the OS, plus those of any upgrades. Annoying? You betcha. But if they haven't been backing up their files (shame on them) then having to reinstall the OS is the LEAST of their worries.

    And this of course goes for Windows and Linux installs as well. And really, even in a multi-user/single-machine scenario, while the damage is limited, it is still potentially devastating for the user involved. And again, for many (most?) installs, there's only one user that matters anyway.

Real Users find the one combination of bizarre input values that shuts down the system for days.

Working...